CVE-2024-45858

CVE-2024-45858 affects Guardrails AI Guardrails framework versions 0.2.9–0.5.10. The root cause is improper validation of XML files, where loading a malicious XML containing Python code causes the code to be passed to eval and executed on the user’s machine. The vulnerability enables arbitrary co...

CVE-2024-45858

An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing i...

Eval Injection

MindsDB is vulnerable to Eval Injection. The vulnerability is caused by improper validation of Python code in specially crafted ‘INSERT’ queries, which are executed via an unprotected eval function on the server, allowing an attacker to execute arbitrary code...

Eval Injection

MindsDB is vulnerable to Eval Injection. The vulnerability is due to unsanitized input in the Microsoft SharePoint integration, where a specially crafted 'INSERT' query for site column creation allows Python code to be passed to an eval function and executed on the server...

Exploit for Code Injection in Geoserver

CVE-2024-36401-PoC Proof-of-Concept Exploit for CVE-2024-36401...

Code Injection

refuelautolabel is vulnerable to Code Injection. The vulnerability caused by improper use of the eval function to process CSV files in classification tasks. If a maliciously crafted CSV file containing Python code is provided, the eval function executes this code, leading to arbitrary code...

Code Injection

MindsDB is vulnerable to Code Injection. The vulnerability is due to the unsafe use of the eval function, which directly executes input Python code without proper validation. It allows an attackers to inject and execute arbitrary code via the 'SELECT WHERE' clause...

Eval Injection

MindsDB is vulnerable to Eval Injection. The vulnerability is due to unsanitized input in the Microsoft SharePoint integration within sharepointapi.py, where a specially crafted 'INSERT' query containing Python code is passed to the eval function, allowing an attacker to execute arbitrary code on...

Eval Injection

MindsDB is vulnerable to Eval Injection. The vulnerability is due to unsanitized input in several integrations, where a specially crafted 'UPDATE' query containing Python code is passed to an eval function and executed on the server...

Eval Injection

MindsDB is vulnerable to arbitrary code execution. The vulnerability is due to unsanitized input in the ChromaDB integration, where a specially crafted 'INSERT' query containing Python code is passed to an eval function and executed on the server...

MindsDB Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creation. If such a...

GHSA-WF9G-C67G-H4CH MindsDB Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creation. If such a...

GHSA-WCJW-3V6P-4V3R MindsDB Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine,...

GHSA-CRMG-RP64-5CM3 MindsDB Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the specified integration...

Refuel Autolab Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code...

GHSA-G2M8-F3X2-QPRW Refuel Autolab Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code...

MindsDB Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list creation. If such a query i...

MindsDB Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine,...

GHSA-4FGP-7VVM-M4JF Refuel Autolab Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python...

GHSA-C85F-PCX6-2GHM MindsDB Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list creation. If such a query i...